[ previous ] [ next ] [ threads ]
 From:  <lola at yais dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Traffic rules not working?
 Date:  Fri, 30 Jul 2004 12:11:02 +0200
> Von: "Jon Tackabury" <jtackabury at binaryfortress dot com>
> Datum: Thu, 29 Jul 2004 20:59:18 -0400
> An: <m0n0wall at lists dot m0n0 dot ch>
> Betreff: [m0n0wall] Traffic rules not working?
> I have 3 interfaces.  LAN, WAN and OPT1.  I set the rules to "Block anything
> from anywhere to anywhere" on OPT1... but when I ping a PC from a PC on the
> LAN interface, somehow the ICMP reply packets are getting through... if I
> said to block all traffic coming in OPT1, shouldn't it block that?

this is because of the default rule on the lan interface. lan is allowed to
connect to everthing everywhere. this rule "keeps state". this means that a
outgoing connection it is allowed to receive an answer even if incomming
connection are blocked.

read this:



> Also, how can I create a rule that says "Block this PC from the LAN to
> getting on the Internet".  I can create a rule that blocks them from getting
> to the "LAN Subnet" or the "OPT1 Subnet"... but there doesn't seem to be a
> way to block them from going out the WAN interface.

on lan interface create the rule:

"block" from "ip_of_your_host" to "! (<- this means not) lan subnet"

this rule will block everything from the client which is not directed to the
lan, i.e. internet.